[3.3] gimp: Use-after-free vulnerabilities in the channel and layer properties parsing process (CVE-2016-4994)
The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION and
PROP_ACTIVE_CHANNEL save the current object pointer in the
info structure. Others, like PROP_SELECTION (for channel) and PROP_GROUP_ITEM (for layer), delete the current object and create a new object, leaving the pointers in info invalid (dangling).
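The pointer lifetime problem described above, as an added example that is not GIMP's code or its patch: a constructed model of the layer case only, in which a small slot arena stands in for the heap so a stale reference can be checked instead of dereferenced. The `active_layer` field, the `fixup` flag and all function names are assumptions made for the illustration; with `fixup` set, the parser re-points `info` at the replacement object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not GIMP code. Slots are never reused or freed, so a
   stale pointer can be inspected safely. */
enum prop { PROP_END, PROP_ACTIVE_LAYER, PROP_GROUP_ITEM };
struct layer { bool alive; };
struct info  { struct layer *active_layer; };

static struct layer arena[8];
static size_t next_slot;

static struct layer *layer_new(void) {
    if (next_slot >= 8) return NULL;          /* arena exhausted */
    arena[next_slot].alive = true;
    return &arena[next_slot++];
}

/* Walk one layer's property list. With fixup == false the replacement in
   PROP_GROUP_ITEM leaves info->active_layer pointing at the deleted object. */
static struct layer *load_layer_props(struct info *info,
                                      const enum prop *props, bool fixup) {
    struct layer *layer = layer_new();
    for (; layer && *props != PROP_END; props++) {
        if (*props == PROP_ACTIVE_LAYER) {
            info->active_layer = layer;       /* pointer saved in info */
        } else if (*props == PROP_GROUP_ITEM) {
            bool was_active = (info->active_layer == layer);
            layer->alive = false;             /* current object deleted */
            layer = layer_new();              /* new object created */
            if (fixup && was_active)
                info->active_layer = layer;   /* keep info in sync */
        }
    }
    return layer;
}

/* True when info still refers to a deleted object. */
static bool info_is_dangling(const struct info *info) {
    return info->active_layer && !info->active_layer->alive;
}

int main(void) {
    const enum prop seq[] = { PROP_ACTIVE_LAYER, PROP_GROUP_ITEM, PROP_END };
    struct info a = { NULL }, b = { NULL };
    load_layer_props(&a, seq, false);
    load_layer_props(&b, seq, true);
    printf("unfixed dangling=%d, fixed dangling=%d\n",
           info_is_dangling(&a), info_is_dangling(&b));
    return 0;
}
```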
References:
https://bugzilla.gnome.org/show_bug.cgi?id=767873
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4994
Patch:
https://git.gnome.org/browse/gimp/commit/?id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
(from redmine: issue id 5860, created on 2016-07-04, closed on 2016-07-20)
- Relations:
- parent #5857 (closed)
- Changesets:
- Revision 980dd637 by Natanael Copa on 2016-07-20T11:07:50Z:
main/gimp: security upgrade to 2.8.18 (CVE-2016-4994)
fixes #5860